[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm
Smart,Dan
SmartD at VMCMAIL.com
Thu Jun 26 10:38:17 PDT 2003
Can I do the same with the sendmail test, remove hfi from the first
condition, and put it before the formail commands...
:0
* ^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
{
  LOG="TRAPPED: Probable sendmail header exploit"
  :0 hfi
  | formail -A "X-Content-Security: [$HOST] NOTIFY" \
    -A "X-Content-Security: [$HOST] QUARANTINE" \
    -A "X-Content-Security: [$HOST] REPORT: Trapped possible sendmail header exploit"
}
TIA
<<Dan>>
|
| -----Original Message-----
| From: John D. Hardin [mailto:jhardin at impsec.org]
| Sent: Thursday, June 26, 2003 11:56 AM
| To: Smart,Dan
| Cc: Email Security Discussion list
|
| On Thu, 26 Jun 2003, Smart,Dan wrote:
|
| > John,
| > To add a log statement after a header filter command, what
| should the
| > flags be?
| >
| > The following gives me extraneous flags errors.
| >
| > # Trap SoBig (signature as of 06/25/2003) #
| > :0
| > * > 100000
| > * < 120000
| > * ^Content-Type:.*multipart/mixed;
| > {
| > :0 B hfi
|
| Take off the "hfi" here.
|
| > * ^Please see the attached zip file for details\.
| > * ^Content-Disposition: attachment;
| > * ^Content-Transfer-Encoding: base64
| > * ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)\.zip"?
| > {
| > LOG="TRAPPED: Probable SoBig worm"
| > :0 hfi
| > | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
| > -A "X-Content-Security: [$HOST] QUARANTINE" \
| > -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/av
|
| Close your braces.
|
| --
| John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
| jhardin at impsec.org pgpk -a jhardin at impsec.org
| key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
| -----------------------------------------------------------------------
| The fetters imposed on liberty at home have ever been forged out
| of the weapons provided for defense against real, pretended, or
| imaginary dangers from abroad.
| -- James Madison, 1799
| -----------------------------------------------------------------------
| 495 days until the Presidential Election
|
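The two traps discussed in this thread (the SoBig size/MIME signature and the sendmail header signature), rendered as a small Python checker so the conditions and the `formail -A` tagging can be exercised offline. This is an added example, not code from the thread or from the Procmail Sanitizer: it copies the regexes from the recipes above, uses a constructed host name in place of procmail's `$HOST`, and feeds constructed sample messages (padded filler, not real worm samples).

```python
import re

# Hypothetical host name standing in for procmail's $HOST (constructed value).
HOST = "mailhost.example"

# Size window and patterns copied from the SoBig recipe in the thread.
# procmail matches case-insensitively and anchors ^ at every line start,
# so the equivalent Python flags are IGNORECASE | MULTILINE.
SIZE_MIN, SIZE_MAX = 100000, 120000
SOBIG_HEADER_RE = re.compile(r"^Content-Type:.*multipart/mixed;", re.I | re.M)
SOBIG_BODY_RES = [re.compile(p, re.I | re.M) for p in (
    r"^Please see the attached zip file for details\.",
    r"^Content-Disposition: attachment;",
    r"^Content-Transfer-Encoding: base64",
    r'^Content-(Type|Disposition):.*name *= *"?'
    r'(your_details|application|document|screensaver|movie)\.zip"?',
)]

# Header signature from the sendmail recipe in the thread: five empty "<>"
# address groups followed by a parenthesised comment on one header line.
SENDMAIL_HDR_RE = re.compile(
    r"^((resent-)?(sender|from|(reply-)?to|cc|bcc)"
    r"|(errors|disposition-notification|apparently)-to|Return-Path): "
    r".*<>.*<>.*<>.*<>.*<>.*\(.*\)", re.I | re.M)


def split_message(raw):
    """Split RFC 822 text at the first blank line into (headers, body)."""
    head, _, body = raw.partition("\n\n")
    return head, body


def check_sendmail_exploit(raw):
    """Equivalent of the header-only recipe (procmail's default H scope)."""
    head, _ = split_message(raw)
    return SENDMAIL_HDR_RE.search(head) is not None


def check_sobig(raw):
    """Equivalent of the outer size/Content-Type test plus the inner B recipe."""
    head, body = split_message(raw)
    if not (SIZE_MIN < len(raw.encode()) < SIZE_MAX):
        return False
    if not SOBIG_HEADER_RE.search(head):
        return False
    return all(r.search(body) for r in SOBIG_BODY_RES)


def tag_message(raw, tags):
    """Mimic `formail -A`: append one X-Content-Security header per tag."""
    head, body = split_message(raw)
    extra = "".join(f"X-Content-Security: [{HOST}] {t}\n" for t in tags)
    return head + "\n" + extra + "\n" + body


def scan(raw):
    """Apply both traps and return the verdict, LOG lines and tagged message."""
    if check_sendmail_exploit(raw):
        tags = ["NOTIFY", "QUARANTINE", "REPORT: Trapped possible sendmail header exploit"]
        return {"verdict": "sendmail-header",
                "log": ["TRAPPED: Probable sendmail header exploit"],
                "message": tag_message(raw, tags)}
    if check_sobig(raw):
        tags = ["NONOTIFY", "QUARANTINE", "REPORT: Trapped SoBig worm"]
        return {"verdict": "sobig",
                "log": ["TRAPPED: Probable SoBig worm"],
                "message": tag_message(raw, tags)}
    return {"verdict": "clean", "log": [], "message": raw}


def build_sample_sobig(size=110000):
    """Constructed SoBig-shaped message padded to exactly `size` bytes."""
    head = ('From: sender@example.invalid\n'
            'To: dan@example.invalid\n'
            'Subject: Re: Details\n'
            'Content-Type: multipart/mixed; boundary="XYZ"\n')
    body = ('\n--XYZ\nContent-Type: text/plain\n\n'
            'Please see the attached zip file for details.\n'
            '--XYZ\nContent-Type: application/octet-stream; name="your_details.zip"\n'
            'Content-Transfer-Encoding: base64\n'
            'Content-Disposition: attachment; filename="your_details.zip"\n\n')
    tail = "\n--XYZ--\n"
    pad_len = size - len(head) - len(body) - len(tail)
    pad = ("QUFB" * (pad_len // 4 + 1))[:pad_len]  # harmless base64 filler
    return head + body + pad + tail


# Constructed header-only sample for the sendmail trap, and a clean control.
SAMPLE_SENDMAIL_HEADER = ("From: <><><><><> (constructed test)\n"
                          "To: dan@example.invalid\nSubject: hello\n\nbody\n")
SAMPLE_CLEAN = "From: a@example.invalid\nTo: b@example.invalid\nSubject: hi\n\nJust text.\n"

if __name__ == "__main__":
    for name, msg in (("sobig", build_sample_sobig()),
                      ("header", SAMPLE_SENDMAIL_HEADER),
                      ("clean", SAMPLE_CLEAN)):
        result = scan(msg)
        print(name, result["verdict"], result["log"])
```

The size window is applied to the whole message exactly as `* > 100000` / `* < 120000` do, so the padded sample at 110000 bytes trips the trap while the same content at 90000 bytes does not; that is the same reason the recipe in the thread depends on the worm's attachment size staying within that range.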